Suped

What are the CCPA requirements for collecting email addresses in person at a brick and mortar store?

Michael Ko
Co-founder & CEO, Suped
Published 31 Jul 2025
Updated 16 Aug 2025
There's a common misconception that the California Consumer Privacy Act (CCPA) prohibits businesses from collecting email addresses in person at a physical location. This isn't entirely accurate. The CCPA doesn't forbid the collection of email addresses directly from consumers in your brick-and-mortar store, but it does impose specific obligations on how you collect, use, and manage that information. Email addresses are indeed considered personal information under the CCPA.
The key lies in understanding the transparency and consumer rights provisions of the law, which extend beyond online interactions to cover offline data collection as well. For businesses with a physical presence, adapting CCPA compliance to an in-store environment requires careful planning to ensure customers are informed and their privacy rights are upheld.

Applicability of CCPA to offline data collection

The CCPA broadly defines personal information and applies to businesses that collect this data from California residents, regardless of whether the collection occurs online or offline. This means if you're asking for an email address at your cash register, through a sign-up sheet, or via any other in-person method, you are subject to the CCPA if your business meets the specified thresholds. These thresholds typically involve annual gross revenues, the volume of personal information handled, or deriving a significant portion of revenue from selling personal information.
Email addresses are explicitly listed as an identifier and a category of personal information under the act. Therefore, any email addresses collected, even for purposes like sending an electronic receipt, fall under the CCPA's purview. This highlights the need for businesses to have a consistent approach to data privacy, regardless of the collection channel.
It's important to remember that the core of the CCPA is transparency and empowering consumers with control over their data. This principle extends to how you collect and process information in your physical store, making it crucial to integrate privacy practices into your in-person operations.

Is your business covered by CCPA?

The CCPA applies to for-profit businesses that collect personal information from California consumers and do business in California, meeting one or more of these criteria:
  1. Annual gross revenues over $25 million.
  2. Annually buys, sells, or shares personal information of 100,000 or more California consumers or households.
  3. Derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
If your business meets any of these, even if data collection is primarily offline, the CCPA applies. You can find more details about the law from the California Attorney General's office.

Notice at collection requirements in a physical setting

One of the most critical aspects of CCPA compliance for brick-and-mortar stores is providing a “Notice at Collection.” This notice must inform consumers, at or before the point of collection, about the categories of personal information being collected and the purposes for which that information will be used. For in-person collection, this means you can't just collect an email address without providing this disclosure.
Offline methods for providing this notice include posting clear and conspicuous signs at the point of collection, printing the notice on physical forms used to collect information, or including it in other prominent displays in your store. The goal is to ensure consumers are aware of your data collection practices before they provide their email address. For example, if you collect email addresses at checkout, a sign near the register would be appropriate.
The notice should be easy to read and understand, not hidden in fine print. It should also specify if the collected email addresses will be sold or shared, and provide instructions on how consumers can exercise their rights, such as opting out of the sale of their data. This transparency builds trust and helps ensure compliance.
Example of an in-store CCPA notice text
NOTICE AT COLLECTION OF PERSONAL INFORMATION

We collect personal information, including your email address, to provide you with services, process transactions, and send marketing communications (if you opt-in). We do not sell your personal information. For more information about your rights and our privacy practices, please ask a staff member or visit [YourWebsite.com/privacy]. You have the right to opt-out of future marketing communications.

Facilitating consumer rights for in-person data

Under the CCPA, California consumers have several rights concerning their personal information, including the right to know what data is collected, the right to request deletion of their data, and the right to opt-out of the sale or sharing of their personal information. These rights apply whether the data was collected online or in person.
For businesses with brick-and-mortar stores, this means providing accessible methods for consumers to submit requests. The law requires at least two designated methods for submitting requests, and for businesses that primarily interact with consumers offline, one of these methods must be an offline option, such as a physical form that can be submitted in person at the retail location. This ensures that consumers who provided their information offline can also exercise their rights offline.
When a customer submits a deletion request for an email address collected in person, you must be able to fulfill it. This requires having robust systems to identify and remove that specific email address and any associated personal information from all your databases. It also means ensuring that any email marketing efforts cease for that address.
If you're using collected email addresses for marketing purposes, remember that physical address disclosure is often required in the email footer, even for transactional or commercial emails, depending on broader email marketing laws like CAN-SPAM in the USA.

Online request methods

  1. Webform: Dedicated online portal for privacy requests.
  2. Email address: A specific email address for submitting requests, often listed in the privacy policy.

Offline request methods (for brick-and-mortar)

  1. Toll-free number: A phone line for consumers to call in requests.
  2. Physical form: Paper forms available in-store for submitting requests.

Maintaining data quality and compliance

Collecting email addresses in person, especially at points of sale, often results in data quality issues. Typos, fake addresses given by customers who want to avoid providing a real one, and invalid formats can lead to significant deliverability problems, including high bounce rates and potential blacklisting (or blocklisting). These issues can harm your sender reputation and affect your overall email deliverability. Poor data can contribute to your domain ending up on an email blocklist.
To mitigate these risks, implementing robust data validation practices at the point of collection is crucial. This might involve using software to verify email formats in real-time or training staff to double-check entries. Additionally, regular list hygiene, including removing invalid or inactive addresses, is vital for maintaining a healthy email program and ensuring your messages reach the inbox.
Beyond data quality, businesses must also be prepared to handle various consumer requests, especially those for data deletion. The CCPA (and its successor, the CPRA) mandates that companies must delete personal information upon a verified consumer request, which applies to in-person collected data too. This means your internal processes must support such requests efficiently.
Finally, given the nuances of data privacy laws, it is always advisable to consult with legal counsel specializing in CCPA compliance to ensure your specific in-store data collection practices are fully compliant. This helps you avoid common mistakes and navigate the complexities of privacy regulations effectively.

| Practice | Description | Benefit |
| --- | --- | --- |
| Real-time validation | Use tools or manual checks at point of sale to verify email format and reduce errors. | Reduces typos and immediate bounces from fake email addresses. |
| Regular list cleaning | Periodically remove inactive, invalid, or unsubscribed email addresses. | Improves sender reputation and inbox placement. Reduces blocklist risk. |
| Double opt-in consideration | While not strictly required by CCPA, it confirms user intent and improves engagement. | Enhances data quality and compliance, especially with international regulations. |

Views from the trenches

Best practices
Post highly visible and easy-to-read 'Notice at Collection' signs near all points of personal information collection in your store.
Provide physical forms in-store for consumers to submit their CCPA rights requests, such as access or deletion requests.
Train all staff involved in data collection on CCPA requirements and how to properly handle consumer inquiries and requests.
Common pitfalls
Assuming CCPA only applies to online data collection and ignoring in-person data capture points.
Failing to provide proper 'Notice at Collection' in physical locations, leading to non-compliance.
Collecting 'filthy' email addresses at point-of-sale, resulting in poor deliverability and potential blocklisting.
Expert tips
Consult with legal counsel specializing in CCPA to interpret specific regulations for your business model.
Implement a clear internal process for handling consumer data requests received offline.
Regularly audit your in-person data collection methods to ensure they remain compliant.
Marketer view
Marketer from Email Geeks says it seems far-fetched that collecting an email for a receipt would not be allowed under CCPA.
2021-05-18 - Email Geeks
Expert view
Expert from Email Geeks says that several CCPA requirements, particularly the Notice at Collection, are trickier to fulfill with brick-and-mortar collection methods, and existing address capture approaches may not be sufficient.
2021-05-18 - Email Geeks

Ensuring continued compliance

While collecting email addresses in person at a brick-and-mortar store is not prohibited by the CCPA, it comes with a distinct set of responsibilities. Businesses must be transparent about their data collection practices, provide clear notices at the point of collection, and offer accessible methods for consumers to exercise their privacy rights, including offline options. This ensures you meet the CCPA's intent to protect consumer data.
Proactive steps in data management and ongoing training for staff are essential for maintaining compliance and mitigating risks associated with poor data quality or unfulfilled consumer requests. By integrating CCPA requirements into your in-store operations, you can build consumer trust and avoid potential penalties while still leveraging email for business communication.
